Payment card fraud and how to avoid it

We all know to cover the keypad for security as we enter our PINs at ATMs and when making purchases, and most of us have a healthy paranoia about handing out our credit card details. But somehow, payment card fraud in Australia still more than doubled between 2010-11 and 2014-15 – from $1 billion in unauthorised transactions in 2011 to $2.1 billion in 2015.

How big is the problem?

It depends on where you get your data. The above stats, the latest from the Australian Bureau of Statistics (ABS), don't quite jibe with the calendar year 2015 numbers from the Australian Payments Clearing Association (APCA), the peak body representing the payments industry.

According to APCA, Australians spent $1.92 trillion in 2015 using either cards or cheques, and a mere 0.025% of the transactions, or $469 million worth, were fraudulent. When it came to cards alone, $460 million was lost to crooks (locally as well as overseas).

When asked about the discrepancy, an APCA spokesperson explained that the ABS stats are based on a large-scale household survey, while the industry's stats come from financial institutions.

About a million people with Australian issued cards were victimised by some kind of card fraud in 2014-15, mostly by cybercriminals.

In 2014, 58.8 cents per $1000 was lost to card fraud; in 2015, the figure was 66.8 cents per $1000.

Cardholders managed to get back most of the ABS's reported $2.1 billion lost in 2015 from their financial institutions. These are obligated to reimburse cardholders as long as they notify the institution in a reasonable timeframe and weren't overly negligent.

As the regulatory document, the ePayments Code, puts it: "A [card]holder is not liable for loss arising from an unauthorised transaction where it is clear that a user has not contributed to the loss."

Still, about $84 million of the pilfered billions was never paid back.

Present danger

These days lost or stolen cards or counterfeit cards created through skimming at ATM machines and other terminals (especially those in taxis and convenience stores) are a small part of the problem. The real worry is money lost at the hands of cyber criminals through "card not present" scams, where fraudsters get a hold of your credit card details stored on a computer or smartphone using phishing or malware techniques.

And the baddies aren't just targeting personal devices. Data breaches at companies that have your payment card on file – another form of "card not present' fraud – are also on the rise.

In the current card security climate, "card not present" flimflams are how your money disappears eight times out of 10, and the incidence of such scams went up 38% between 2014 and 2015. Most of this type of fraud – 62% – is perpetrated overseas.

So when it comes to preventing money from going missing from your account, it's more about online security (see the five rules of living scam-free below) and less about blocking your PIN from probing micro-cameras at ATMs (though that's still a good idea).

Getting your card skimmed overseas

The security advantages of new chip technology on cards issued in Australia has been a big factor in pushing local fraud online. There was 10% less skimming (or the use of counterfeit cards loaded with the victim's bank details 'skimmed' from ATM and other payment terminals) in Australia in 2015 than in 2014.

Overall, 79% of the fraud on Australian-issued cards in 2015 was of the "card not present" variety, while 11% was skimming related. Lost or stolen cards accounted for only 7% of fraud last year.

But for Aussies traveling abroad in countries where outdated magnetic strip technology remains in place (notably the US), the skimmers are still raking it in.

While skimming dropped significantly in Australia in 2015 as compared to 2014, it went up 77% for Australian-issued cards used overseas. Last year $28.1 million was stolen from Australian accounts overseas via skimming compared to $6.4 million locally.

If your Australian-issued card gets skimmed overseas, the same rules apply as locally: the financial institution that issued it is liable for reimbursement as long as you let them know in a timely manner.

Which type of Australian-issued cards are the safest?

Type of card

Total amount of fraudulent
transactions including overseas (2015)

Credit Cards: Visa, MasterCard, Amex, and Diners
credit and debit cards (used online, over the phone,
by mail order, or by choosing the 'credit' option at a retailer)

$437.9 million ($363 million from
"card not present", including online, scams)

Proprietary Debit Cards: Bank and Eftpos debit cards
(used when choosing the 'cheque' or 'savings' options at a retailer or ATM)

$22.9 million ($16.5 million from skimming)

While current data is not available for an exact breakdown of credit card vs debit card spend, overall Australians complete about twice as many transactions via debit cards.

Are Visa PayWave and MasterCard PayPass safe?

This biggest potential security issue with contactless or tap-and-go payment card technology at the moment is losing your card and having a crook rack up numerous transactions under $100 – which don't require a signature or PIN – before you find out. This can and does happen.

Both card schemes promise to reimburse you if you get in touch with the card issuer promptly (generally your bank or credit union), but you'll be out of pocket while you're waiting for the process to run its course.

Despite some pushback from consumers at having contactless technology loaded onto their new cards without their consent and some security concerns raised by experts in the field as well as law enforcement, the contactless instant purchase option has proven comparatively safe and popular so far.

Are businesses keeping your data safe?

As part of their agreement with banks that issue Visa and MasterCard credit and debit cards, businesses are meant to be compliant with the Payment Card Industry Data Security Standards (PCIDSS), a set of security requirements aimed at keeping your card details safe.

The standards include things like restricting staff access to cardholder data and changing default passwords that come with card-processing technology. The level of oversight depends on how many transactions are processed per year.

If it's less than 20,000, merchants are advised to do regular self-checks and don't have to undergo on-site third-party assessments.

It's worth noting that retailers have been fined by the card schemes for falling short of the PCIDSS and thereby making your payment cards details vulnerable.

The five rules of living scam-free

By now most people know the basics of keeping your details safe – but crims are getting smarter than ever. Lately there has been a rash of phishing scams in which the fraudsters pose as legitimate government sites or your bank in a very convincing way, so it's best to be vigilant at all times while perusing your emails or shopping online and to continually exercise password discipline.

Check your credit card and debit card account regularly for suspicious activity. If you detect such activity, report it to the card issuer (your bank) immediately. Bank apps are great for this – you can check your account on the fly from your smartphone.

Never give your payment card or other bank details to anyone over the phone unless you placed the call and know and trust the business – the same goes for email requests for this information.

Be extra careful when installing apps on your phone – especially from sources you're not familiar with. They may contain malicious software designed to steal your bank account details.

If you receive an official-looking email from your bank or other business – or from what appears to be a government agency like the ATO – that asks you to click a link to update or verify your details, just don't do it. That's what the delete button is for.

Don't play into the hands of the fraudsters by picking easy-to-guess or obvious passwords – and definitely don't use the same vulnerable password on more than one website. A weird and random combination of letters, numbers and symbols is always best – and consider a password manager for keeping track. Use a different combination for each of your logins, and even the wiliest of crooks won't be able to crack it.